Question
I'm using Windows 7 and I'd like to monitor for new Process Create events. (i.e. get an entry for each process that's created, with full details about it.) I succeeded in doing this in Procmon, but I want to do it in the shell, and get text output without a GUI.
Is there a CLI command that does that? e.g. I could tell it "Please list all events of the type so-and-so with a path of so-and-so" and it'll run indefinitely, writing details of these processes to stdout?
Answer 1:
You can build your own using the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package. It's a wrapper over ETW (Event Tracing for Windows) events, and it's developed by Microsoft.
Here is some sample C# console application code that displays all process Start and Stop events:
using System;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;

namespace ProcMon
{
    class Program
    {
        static void Main(string[] args)
        {
            // Enabling the kernel provider requires an elevated (Administrator) process.
            if (TraceEventSession.IsElevated() != true)
            {
                Console.WriteLine("To turn on ETW events you need to be Administrator, please run from an Admin process.");
                return;
            }

            // On Windows 7 the kernel provider only works in the session named
            // "NT Kernel Logger" (KernelTraceEventParser.KernelSessionName);
            // Windows 8 and later accept any session name, including this one.
            using (var session = new TraceEventSession(KernelTraceEventParser.KernelSessionName))
            {
                // handle console CTRL+C gracefully: Stop() makes Process() return,
                // and leaving the using block disposes (stops) the session
                Console.CancelKeyPress += (sender, e) => session.Stop();

                // we filter on events we need: only the process start/stop keyword
                session.EnableKernelProvider(KernelTraceEventParser.Keywords.Process);

                session.Source.Kernel.ProcessStart += data =>
                {
                    Console.WriteLine("START Id:" + data.ProcessID + " Name:" + data.ProcessName);
                };

                session.Source.Kernel.ProcessStop += data =>
                {
                    // stop has no name
                    Console.WriteLine("STOP Id:" + data.ProcessID);
                };

                // runs forever, press CTRL+C to stop
                session.Source.Process();
            }
        }
    }
}
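The question also asked to restrict the output to "events of type so-and-so with a path of so-and-so" and to get full details per process. The following is an added example built on the same TraceEvent package; it is not part of the answer above. It takes optional substrings on the command line and prints only process starts whose image name or command line contains one of them, together with the parent PID and the full command line, one tab-separated line per event so the output can be piped into findstr or a file. It assumes that the kernel ProcessStart event's ImageFileName may carry only the file name without its directory, which is why a path filter is matched against the command line as well.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Parsers.Kernel;
using Microsoft.Diagnostics.Tracing.Session;

namespace ProcMonFilter
{
    class Program
    {
        // Usage: ProcMonFilter.exe [substring ...]
        // No arguments: print every process start and stop. With arguments: print
        // only starts whose image name or command line contains one of the
        // substrings (case-insensitive), plus the stops of processes that matched.
        static int Main(string[] args)
        {
            if (TraceEventSession.IsElevated() != true)
            {
                Console.Error.WriteLine("Kernel ETW needs an elevated (Administrator) prompt.");
                return 1;
            }

            string[] filters = args;
            // PIDs that passed the filter, so that their STOP line is printed too.
            var tracked = new HashSet<int>();

            // On Windows 7 the kernel provider only works in the fixed session
            // "NT Kernel Logger"; Windows 8+ accepts any name, and this one still works.
            using (var session = new TraceEventSession(KernelTraceEventParser.KernelSessionName))
            {
                // Cancel the default Ctrl+C termination so the using block disposes
                // (stops) the kernel session instead of leaving it running after exit.
                Console.CancelKeyPress += (s, e) => { e.Cancel = true; session.Stop(); };

                session.EnableKernelProvider(KernelTraceEventParser.Keywords.Process);

                Console.WriteLine("time\tevent\tpid\tppid\timage\tcommand line");

                session.Source.Kernel.ProcessStart += (ProcessTraceData data) =>
                {
                    if (!Matches(data.ImageFileName, data.CommandLine, filters))
                        return;
                    tracked.Add(data.ProcessID);
                    Console.WriteLine("{0:o}\tSTART\t{1}\t{2}\t{3}\t{4}",
                        data.TimeStamp, data.ProcessID, data.ParentID,
                        data.ImageFileName, data.CommandLine);
                };

                session.Source.Kernel.ProcessStop += (ProcessTraceData data) =>
                {
                    // With a filter active, only report stops of processes we reported starting.
                    if (filters.Length > 0 && !tracked.Remove(data.ProcessID))
                        return;
                    Console.WriteLine("{0:o}\tSTOP\t{1}\t{2}\texit={3}",
                        data.TimeStamp, data.ProcessID, data.ParentID, data.ExitStatus);
                };

                // Blocks until session.Stop() is called from the Ctrl+C handler.
                session.Source.Process();
            }
            return 0;
        }

        // Assumption: ImageFileName in the kernel start event may be just the
        // executable name without its directory, so a filter such as
        // "C:\Users" is also matched against the command line, which normally
        // starts with the full path of the image.
        static bool Matches(string image, string commandLine, string[] filters)
        {
            if (filters.Length == 0) return true;
            foreach (var f in filters)
            {
                if ((image ?? "").IndexOf(f, StringComparison.OrdinalIgnoreCase) >= 0) return true;
                if ((commandLine ?? "").IndexOf(f, StringComparison.OrdinalIgnoreCase) >= 0) return true;
            }
            return false;
        }
    }
}
```

Run it from an elevated prompt, e.g. `ProcMonFilter.exe \Temp\ powershell` to see only processes started from a Temp directory or involving powershell. Because the kernel session is system-wide and there is only one "NT Kernel Logger" on Windows 7, stop the program with Ctrl+C rather than closing the console window, so the session is torn down and a later run (or xperf) can create it again.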
Answer 2:
Wtrace is okay: https://github.com/lowleveldesign/wtrace/
I was able to use it to find the creation of a new process and see the command line arguments.
Source: https://stackoverflow.com/questions/52725830/command-line-version-of-procmon